Cyber Menace: New Threat for the Shipping Sector in Malaysia

In this ‘cyber-net’ era, more business activities are hooked up online, leading to more e-commerce environments being subjected to cyber threats. They become more vulnerable to hackers’ attacks or to disruption due to long power outages. The impact of these threats and risks on business functions or activities results in significant losses, and customer relationships may be negatively affected.

In the maritime and shipping sector, connections between ships and shore and vice versa, containers tracking and monitoring systems linking to computer networks are subjected to system failure or malfunction. Many may not realize that they are sitting on a time bomb. ‘Cyber’ attack is a crime, a menace to business when it strikes. Long periods of power outage are another. Both have equal impact upon business disruptions. The internet connects businesses directly to millions of customers in real time and one can imagine what may happen when an application is down, disrupting connections.

Thus, goods will not be supplied on time, travelling will be delayed and freight payment with banks is disrupted. The worst case is when one cannot withdraw one’s money from banks. The company will be cut off from its business network and links to its customers. Additionally, the disruption may not only cause loss of revenue but also affect its reputation and customers’ confidence. Cyber threat is the hidden threat to shipping as well. It requires immediate attention and action to be mitigated if it really strikes. This will cushion the impact of threats to business activities. Nowadays, many organizations have started to implement Business Continuity Management (BCM), comprising a Business Continuity Plan, Emergency Response Plan and Crisis Communication Plan, such that these plans, when properly exercised, will enable the organization to be prepared to respond and to reduce the impact when disaster strikes.

Introduction

A successful company is a company that manages its future. Timely information obtained based on forecast is to be verified and managed. It is to be converted as a valuable piece of guidance for business decisions. Lots of information can be obtained from the information superhighway, ‘the internet’. The convergence of technologies to form Information Communication Technology (ICT) in short, has somehow spurred business processes and activities to rely greatly on technology.

“What if?” would be the question to be asked by the system administrator, or one may simply query what would become of the business if the system upon which it is relying is hacked and sabotaged, with the critical data getting corrupted, or if a power outage of long duration occurs, to name a few of the potential threats. What needs to be done when such things happen? How can data be recovered, or the impact of disruptions reduced, when they occur? There would probably be no answers unless companies conduct a risk assessment of their business activities to evaluate the identified potential risks, their probability and the impact on their business when a disaster strikes.

Currently, ships’ navigators are using a few key technologies to navigate their vessels to the intended destinations, such as the Global Positioning System (GPS), the Vessel Automatic Identification System (AIS) and the Electronic Chart Display and Information System (ECDIS), plus several other new technologies applicable on board a ship. Navigators must be aware that this equipment and these systems can easily be hacked, leading to compromised maritime security and safety of navigation. Their passage plans will be affected, resulting in ships’ delayed arrivals at destinations or in collisions and loss of data, which is detrimental to shipping companies.

What is done by other industries?
Banks and some government agencies have developed or are in the process of developing their Business Continuity Plan (BCP). Banks, in particular, are very concerned of these threats and, not surprisingly, they have somehow implemented their Business Continuity Management (BCM). Knowing what to do when a disaster strikes is a critical factor towards the company’s sustainability. Potential risks and mitigation plans will be laid down in the plan. Some banks even have an alternative site office to ensure minimal disruptions to their day to day business activities. At the same time, they will execute planned strategies and actions to bring back their business activities to the situation existing prior to the disaster as annotated in their Business Continuity Plan (BCP). Drills and exercises are conducted at regular intervals to ensure the strategies and plans adopted are capable of minimizing disruptions to their business activities and they are able to recover after a disaster.

Present Threat to Shipping (Pirates’ Attacks)
In recent years the Malaysian shipping sector is facing one of the world’s oldest crimes – ‘piracy’ and it has increasingly become a threat for the commercial shipping sector. The International Maritime Bureau (IMB) defines piracy as “an act of boarding and attempting to board any ship with the apparent intent to commit theft or any other crime and with the apparent intent or capability to use force in the furtherance of the act”. Piracy is, however, physical in nature and many shipping companies have taken precautions to protect their ships against such attacks, which include getting assistance from the uniformed agencies and conducting awareness training.

Cyber Attack
Cyber security awareness in shipping is currently very low or non-existent in the industry. This is probably due to the complexity of the technology, which makes it a great challenge for members of the shipping community to implement adequate maritime cyber security.

Establishing good practices for technology development and implementation of ICT systems would be a common strategy to ensure “security by design” for all critical maritime ICT components. Shipping companies should be prepared to combat cyber threats, such as knowing how they are prepared in facing pirates’ attacks. Cyber threats are real and so are the consequences. It will be more vulnerable for companies that are operating in a paperless environment mode, where no physical records are kept or even produced.

Without an IT recovery plan or business continuity plan, it would be very difficult for any company to return its business activities to a normal state after a disaster (cyber-attack) strikes. Shipping companies may find it difficult to protect their IT systems as compared to preparing for pirates’ attacks.

Preparedness Planning for Continuity of Shipping Business
Businesses have little choice other than to prepare for the impact of the many hazards or incidents they may face in today’s world, including natural hazards like hurricanes, tornadoes, earthquakes and widespread serious illness such as the H1N1 flu virus pandemic. Human-caused hazards include accidents, acts of violence by people and acts of terrorism.

The above are basically natural disasters which require continuous preparedness in the event of their striking. Nonetheless, technology-related disasters or threats require similar preparedness in the event of their occurring. IT-related threats include the failure or malfunction of systems or software (glitches), prolonged power outages or even ‘cyber attacks’ by hackers, etc. Shipping companies which do not have any IT disaster recovery plan may have to start developing a Business Continuity Plan that encompasses an Enterprise Risk Management Plan, Emergency Response Plan, IT Recovery Plan and Crisis Communication Plan to address the impact of such threats and disasters. A comprehensive and documented plan focused solely on continuing business operations will be used in the event of a disruption.

Threats and Risks’ Identification
The challenge for a company is to evaluate the risks and threats against its capabilities for the various high availability systems and technologies and choose those that meet its business and customers’ requirements. This article suggests the way forward for shipping companies to manage threats in this bio-technological era by identifying and evaluating the impact of disasters on business activities.

The shipping industry may have ignored cyber threats for a number of reasons, including a lack of publicly available case studies or it may believe that shipping is a hidden industry leading to hackers not really understanding shipping activities. Thus far, we have not heard of any stories of a vessel’s navigational equipment, such as GPS or AIS signals, being jammed or the head office unable to get connected with its vessels at sea. It would be naive to think that no one could do it maliciously. It must also be noted that even ships can be remotely controlled.

Cyber Security and Privacy

The Information Age has brought enormous benefits. However, progress typically brings new problems and our heavy dependence on computers raises the threat of hacking, glitches or sabotage. This has led to the development of an IT function known as ‘cyber security’. Cyber security protects networks, computers, programs and data from attacks, damages or unauthorized access.

A rigorous business impact analysis identifies the critical business processes in an organization, calculates the quantifiable loss risk for unplanned and planned IT outages affecting each of these business processes and outlines the effects of these outages.

Business Continuity
To be a sustainable organization, it must manage the future. IT may just provide the enabling tools. What would become of shipping businesses when systems and communication fail, since most ships depend on information technology (IT) in their day to day operations? It is almost impossible to operate and manage shipping lines manually these days. Therefore, we must take cyber security in the shipping sector seriously. Cyber security is much more than simple technical fixtures to manage all problems, as is sometimes portrayed in the media. It is just as much a question of culture and attitude as it is of technology. Security must be in focus during the product design, planning and engineering of a vessel, as well as during the commissioning of the IT equipment and operations of the ship. Eventually, an IT Disaster Recovery and Business Continuity Plan would be required by shipping companies to reduce the impact of disruptions when a disaster strikes.

The Consequences
The operational and financial impacts resulting from the disruption of business functions and processes at the headquarters as well as onboard a ship can lead to serious business disruptions. The consequences can include:
• Unable to secure contracts
• Contractual penalties or loss of contractual bonuses
• Delayed cargo delivery
• Chaos in logistics and supply arrangement
• Increased expenses
• Regulatory fines
• Customer dissatisfaction or defection
• Delay of new business plans
• Image and reputation of companies.

Recommendation
Shipping companies are recommended to conduct a Business Impact Analysis (BIA) on all their “Critical Functions”. A BIA predicts the consequences of disruptions of business functions and processes and gathers information needed to develop recovery strategies.

The impact or potential loss can be identified during a risk assessment process. A business impact analysis identifies the critical business processes in an organization, where the quantifiable loss risk for unplanned and planned IT outages affecting each of these business processes is calculated.

Locally, the Malaysia Shipowners’ Association (MASA) may have to ensure its members develop their IT Recovery Plan or Business Continuity Plan. Operations may also be interrupted by the failure of a supplier of IT parts, including hardware, software or line connection services, or by delayed deliveries. There are many possible scenarios which should be considered.

Ships in ports interface with a broad range of supporting IT systems that link up the ship and port management. Operations can be disrupted when any of these systems is not functioning or is down.
It is also recommended that all shipping companies consider having a Disaster Recovery Site (DRS) as an alternative site to continue its operations in the event of a disaster.

Last but not least, it is also recommended that ships use a separate or alternative telecommunications network and power grid from the primary site to avoid a single point of failure of business.

Conclusion
As most businesses today depend on ICT, which is now the lifeblood of a company, system failures are unacceptable. Unfortunately, ICT also has the potential to bring down a business. Shortcomings in an organization’s ability to manage the threat are one issue, but the consequences of not doing so are more vital now and for the future. Businesses across all industries are very much dependent on ICT as an enabling technology. However, organizations are exposed to high risks when they are totally dependent on technologies without having a backup plan for when these fail to function. The risks and vulnerabilities entangled with ICT can be beyond one’s thinking of how bad the impact of a cyber-attack would be.

Shipping companies must realize that cyber-attacks will be an issue now and in the future, and that they will be vulnerable if they are not prepared to face such threats appropriately. It is obvious that current maritime regulations and policies only consider physical aspects of security and safety to be important. Policy makers should consider adding cyber security aspects to the policy, and information security as well. The threat to shipping companies must be mitigated by developing a disaster recovery plan for their business operations, in order to avoid long disruptions to their businesses or loss of business.